Don’t Buy a Data Breach

It’s been nearly 30 years since the movie Pretty Woman hit the silver screen. My clearest recollection from the film is the handshake between Richard Gere and Ralph Bellamy, playing two powerful businessmen concluding the deal between them, one remarking to the other that they would leave the lawyers to the details. Ah, the details, only a Staples “Easy Button” away.

In addition to determining matters as basic as confirming that the target seller owns the assets or stock you intend to purchase, the target’s employment and labor matters, corporate governance, tax matters, security interests, financial, and real estate and non-real estate assets-related issues must all be verified. Checklists for these issues alone can run pages in length. The perceived “nuisance” of due diligence is a necessary evil to help avoid purchasing trouble and potential litigation.

Now, with hacking by state and non-state actors, data breaches (think Target, Equifax, etc.), ransomware, and website hijacking, the purchaser and seller of a business must expand their due diligence efforts regarding the target company to include cybersecurity related issues.

Issues to consider include, but are not necessarily limited to:

Reviewing the target’s security controls and systems, relative to both hardware and software, and the target’s recovery plan in the event of a breach;

Evaluating what measures the target takes to protect its personnel files, financial data, intellectual property, business plans and other information, and what measures the target takes to protect its customers’ identities and privacy;

Obtaining a history of any breaches and responses, including a review of any communications by the target with applicable authorities regarding such breaches and any response efforts;

Evaluating whether the target is required to comply with any industry-specific cybersecurity requirements (e.g., HIPAA for protection of medical information; Gramm-Leach-Bliley for financial matters, or the Children’s Online Privacy Protection Rule for websites directed to, or which collect personal information from, a child under age 13); and

Reviewing the target’s vendors’ own security systems and the extent of each vendor’s access to the target’s systems.

Third-party providers are available to conduct information technology security evaluations, just as environmental companies are available to provide Phase I and additional environmental reviews of real estate to be purchased.

In addition to considering such cyber issues, buyers and sellers must be careful how they share information with each other during the diligence process. Often, parties may simply email information back and forth through non-encrypted email, thereby exposing once secure information. Commercial virtual data rooms, whether offered by a third party or by a party to the transaction, can provide enhanced security, and should be considered.

Initiating and concluding a business purchase without considering the above issues could result in your purchase of a very expensive problem, and if the new assets are integrated into another business’s assets, you could very well spread the disease among several related entities.

If you are considering the purchase or sale of a business or its assets, please contact Kreis Enderle’s experienced counsel to assist.